Data ONTAP Discussions


OpenSSH 7.4 Not Installed

Hello,

I have an FAS2554 system that is off support so asking here. The system was upgraded to 9.7P1 recently. Our Qualys scanner tagged the array as not running OpenSSH 7.4 even though this should have been fixed in 9.3P6 per https://security.netapp.com/advisory/ntap-20171130-0002/.

Any ideas on how to fix this?  Did I miss something during the upgrade? I did use the non data encryption image during all upgrades.

Thank you

Chris

 

Telnet to the vip shows:

 telnet 192.168.X.X 22
Trying 192.168.X.X...
Connected to 192.168.X.X.
Escape character is '^]'.
SSH-2.0-OpenSSH_7.2 FreeBSD-20160310

Protocol mismatch.
Connection closed by foreign host.
           Package   Start      Completion              Previous  Updated
Status     Version   Time       Time       Component ID Version   Version
---------- --------- ---------- ---------- ------------ --------- ---------
successful 9.1P20    3/17/2020  3/17/2020  hostname     8.3.2P2   9.1P20
                     16:43:30   17:05:01   hostname    
successful 9.3P18    3/17/2020  3/17/2020  hostname     9.1P20    9.3P18
                     18:33:20   18:53:43   hostname    
successful 9.4P8     3/18/2020  3/18/2020  hostname     9.3P18    9.4P8
                     12:32:54   12:53:53   hostname    
successful 9.5P11    3/18/2020  3/18/2020  hostname     9.4P8     9.5P11
                     14:58:55   15:19:58   hostname    
successful 9.7P1     3/18/2020  3/18/2020  hostname     9.5P11    9.7P1
                     15:51:29   16:16:11   hostname    
successful 9.1P20    3/17/2020  3/17/2020  hostname     8.3.2P2   9.1P20
                     16:43:30   18:17:48   hostname    
successful 9.3P18    3/17/2020  3/17/2020  hostname     9.1P20    9.3P18
                     18:33:20   19:12:49   hostname    
successful 9.4P8     3/18/2020  3/18/2020  hostname     9.3P18    9.4P8
                     12:32:54   13:12:31   hostname    
successful 9.5P11    3/18/2020  3/18/2020  hostname     9.4P8     9.5P11
                     14:58:55   15:38:23   hostname    
successful 9.7P1     3/18/2020  3/18/2020  hostname     9.5P11    9.7P1
                     15:51:29   16:35:00   
10 entries were displayed.

 

Any ideas on how to fix this?  Did I miss something during the upgrade?


Re: OpenSSH 7.4 Not Installed

Very possibly something is wrong.

If I am reading that correctly:

successful 9.1P20    3/17/2020  3/17/2020  hostname     8.3.2P2   9.1P20
                     16:43:30   17:05:01   hostname
Less than 90 minutes later 
successful 9.3P18    3/17/2020  3/17/2020  hostname     9.1P20    9.3P18
                     18:33:20   18:53:43   hostname    
About 18 hours later:
successful 9.4P8     3/18/2020  3/18/2020  hostname     9.3P18    9.4P8
                     12:32:54   12:53:53   hostname
About 2 hours later:    
successful 9.5P11    3/18/2020  3/18/2020  hostname     9.4P8     9.5P11
                     14:58:55   15:19:58   hostname   
And finally 32 minutes later: 
successful 9.7P1     3/18/2020  3/18/2020  hostname     9.5P11    9.7P1
                     15:51:29   16:16:11   hostname
 

 

That's really aggressive. I would never have tried that. As a rule, I like to let the upgrade settle for at least 24 hours to let any long-running background processes finish. What does "cluster upgrade-revert show" indicate?

 

It is possible that it is a display issue. The BUG associated with this was fixed in 9.3P6 and all releases forward.


Re: OpenSSH 7.4 Not Installed

The cluster is not prod. We have 2 others to upgrade that are prod so I am using this one to experiment.

I just fixed some TLS1 issues with this - https://kb.netapp.com/app/answers/answer_view/a_id/1029776/~/how-to-harden-ontap-9-tls-configuration-

SSH still shows 7.2 after TLS fix.

There doesn't appear to be a  'cluster upgrade-revert show'  command.

hostname::*> system node upgrade-revert show

Node: hostname-01                                  Status:
                                                              complete

Status Message: The upgrade is complete.


Vers Phase      Status   Upgrade Phase Status Message
---- ---------- -------- ------------------------------------------------------
510  pre-root   applied  No upgrade is required for this phase.
510  pre-apps   applied  Upgrade successful.
510  post-apps  applied  Upgrade successful.
700  pre-root   applied  No upgrade is required for this phase.
700  pre-apps   applied  Upgrade successful.
700  post-apps  applied  Upgrade successful.
800  pre-root   applied  No upgrade is required for this phase.
800  pre-apps   applied  Upgrade successful.
800  post-apps  applied  Upgrade successful.
900  pre-root   applied  No upgrade is required for this phase.
900  pre-apps   applied  Upgrade successful.
900  post-apps  applied  Upgrade successful.
1100 pre-root   applied  No upgrade is required for this phase.
1100 pre-apps   applied  Upgrade successful.
1100 post-apps  applied  Upgrade successful.

Node: hostname-02                                  Status:
                                                              complete

Status Message: The upgrade is complete.


Vers Phase      Status   Upgrade Phase Status Message
---- ---------- -------- ------------------------------------------------------
510  pre-root   applied  No upgrade is required for this phase.
510  pre-apps   applied  Upgrade successful.
510  post-apps  applied  Upgrade successful.
700  pre-root   applied  No upgrade is required for this phase.
700  pre-apps   applied  Upgrade successful.
700  post-apps  applied  Upgrade successful.
800  pre-root   applied  No upgrade is required for this phase.
800  pre-apps   applied  Upgrade successful.
800  post-apps  applied  Upgrade successful.
900  pre-root   applied  No upgrade is required for this phase.
900  pre-apps   applied  Upgrade successful.
900  post-apps  applied  Upgrade successful.
1100 pre-root   applied  No upgrade is required for this phase.
1100 pre-apps   applied  Upgrade successful.
1100 post-apps  applied  Upgrade successful.
30 entries were displayed.

 


Re: OpenSSH 7.4 Not Installed

ONTAP versions 9.3-9.7 have a base version of  OpenSSH 7.2p2.

 

If an advisory shows a version of ONTAP as fixed then either a patch was back ported or a configuration change was made to prevent exploit.
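The situation described in the last reply, a banner that stays at the base OpenSSH version while the fix ships in the appliance release, can be triaged mechanically. This is an added example, not code from the thread or from NetApp: the function names are hypothetical, and it assumes the fixed release quoted in the thread (9.3P6) covers every later release.

```python
import re

# RFC 4253 identification string: SSH-protoversion-softwareversion [SP comments]
BANNER_RE = re.compile(r"^SSH-(\d+\.\d+)-(\S+)(?: (.*))?$")
# ONTAP release names as they appear in the thread: 9.7P1, 9.3P18, 8.3.2P2
ONTAP_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:P(\d+))?$")

def parse_banner(line):
    """Split an SSH identification string into (proto, software, comment)."""
    m = BANNER_RE.match(line.strip())
    if not m:
        raise ValueError("not an SSH identification string: %r" % line)
    return m.group(1), m.group(2), m.group(3) or ""

def openssh_version(software):
    """Return (major, minor) from e.g. 'OpenSSH_7.2' or 'OpenSSH_7.2p2', else None."""
    m = re.match(r"^OpenSSH_(\d+)\.(\d+)", software)
    return (int(m.group(1)), int(m.group(2))) if m else None

def ontap_key(release):
    """Sortable key: '9.3P18' -> ((9, 3), 18); a missing patch level counts as P0."""
    m = ONTAP_RE.match(release)
    if not m:
        raise ValueError("unrecognised ONTAP release: %r" % release)
    train = tuple(int(x) for x in m.group(1).split("."))
    return train, int(m.group(2) or 0)

def triage(banner, scanner_wants, installed, vendor_fixed_in):
    """Classify a banner-based 'OpenSSH too old' finding against the vendor advisory."""
    _, software, _ = parse_banner(banner)
    seen = openssh_version(software)
    if seen is None:
        return "unknown-server"
    if seen >= scanner_wants:
        return "not-flagged"
    if ontap_key(installed) >= ontap_key(vendor_fixed_in):
        # Banner is below the scanner's threshold, but the appliance release is
        # at or past the vendor's fixed release: fix was backported or mitigated.
        return "vendor-fixed-banner-unchanged"
    return "needs-upgrade"

if __name__ == "__main__":
    banner = "SSH-2.0-OpenSSH_7.2 FreeBSD-20160310"   # banner quoted in the thread
    print(triage(banner, (7, 4), "9.7P1", "9.3P6"))
```

A result of "vendor-fixed-banner-unchanged" is the case to document as a scanner exception with the advisory link as evidence, rather than something another upgrade will clear.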
